b'         OFFICE OF INSPECTOR GENERAL \n\n\n\n\n                                  Catalyst for Improving the Environment\n\n\nAudit Report\n\n\n\n\n       PeoplePlus Security Controls\n       Need Improvement\n\n       Report No. 2005-P-00019   \n\n\n\n       July 28, 2005    \n\n\x0cReport Contributors:\t              Rudolph M. Brevard\n                                   Corey Costango\n                                   Warren Brooks\n                                   William Coker\n\n\n\n\nAbbreviations\n\nEPA          Environmental Protection Agency\nHR           Human Resources\nIT           Information Technology\nNACIC        National Agency Check with Inquiries and Credit\nOARM         Office of Administration and Resources Management\nOCFO         Office of the Chief Financial Officer\nOFS          Office of Financial Services\nOHR          Office of Human Resources\nOIG          Office of Inspector General\nPAR          Personnel action request\nPPL          PeoplePlus\nTOPOs        Task Order Project Officers\n\x0c                                                                                                      2005-P-00019\n                                                                                                       July 28, 2005\n                        U.S. Environmental Protection Agency\n                        Office of Inspector General\n\n\n                        At a Glance\n\n                                                                          Catalyst for Improving the Environment\n\n\nWhy We Did This Review            PeoplePlus Security Controls Need Improvement\n\nOur objectives were to             What We Found\ndetermine whether: (1) the\nEnvironmental Protection          Our review identified three significant issues in the security administration of\nAgency (EPA) adequately           PeoplePlus (PPL). 
First, the Agency had not followed prescribed procedures for\nconfigured PeoplePlus\xe2\x80\x99            managing user access privileges, monitoring changes in employee responsibilities,\napplication security and          and processing system access requests. Second, EPA did not verify or conduct the\ntechnical infrastructure to       required National Agency Check with Inquiries and Credit background screenings\nprotect the confidentiality,      for 45 percent (10 of 22) of contractor personnel with PPL access. Third, EPA\nintegrity, and availability of    implemented PPL without adequately implementing security controls for two key\nsystem data; and (2)              processes. Specifically, OCFO had not properly secured default user IDs and did\nimplemented controls were         not adequately separate incompatible duties performed by the Security\nworking as intended.              Administrator.\n\nBackground\n                                   What We Recommend\nPeoplePlus is the EPA\xe2\x80\x99s new\nintegrated human resources\n                                  We recommend the Directors of EPA\xe2\x80\x99s Office of Financial Services (OFS) and\n(HR), benefits, payroll, and\n                                  Office of Human Resources (OHR) take 13 actions to improve PPL security\ntime and labor system that is\n                                  controls. These recommendations address areas where EPA could improve user\nmanaged jointly by the Office\n                                  access management and contractor background screening procedures. 
These\nof the Chief Financial Officer\n                                  recommendations include: (1) reinforcing the requirements to follow prescribed\n(OCFO) and the Office of\n                                  policies and procedures; (2) providing a training program to increase awareness\nAdministration and Resources\n                                  and ability to perform security duties; (3) evaluating the need for system\nManagement (OARM). Both\n                                  development contractors to have access to the production environment; and\nHR and payroll data are\n                                  (4) establishing a milestone date to complete contractor background screening.\nprocessed to comply with\n                                  We recommend that EPA evaluate all default user IDs to secure them, and assign\nFederal, State, and EPA\n                                  Security Administrators\xe2\x80\x99 responsibilities in a manner that provides adequate\nreporting requirements.\n                                  separation of incompatible duties. EPA concurred with all of our\nFor further information,          recommendations and provided a plan of action to address concerns.\ncontact our Office of\nCongressional and Public\nLiaison at (202) 566-2391.\n\nTo view the full report,\nclick on the following link:\n\nwww.epa.gov/oig/reports/2005/\n20050728-2005-P-00019.pdf\n\x0c                      UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                   WASHINGTON, D.C. 20460\n\n\n\n                                                                                       OFFICE OF \n\n                                                                                  INSPECTOR GENERAL\n\n\n                                          July 28, 2005\n\nMEMORANDUM\n\nSUBJECT:               PeoplePlus Security Controls Need Improvement\n                       Report No. 2005-P-00019\n\nFROM:                  Rudolph M. 
Brevard, Acting Director /s/\n                       Business Systems Audits\n\nTO:                    Charles E. Johnson\n                       Chief Financial Officer\n\n                       Luis A. Luna\n                       Assistant Administrator for\n                       Administration and Resources Management\n\nThis is our final report on the PeoplePlus security controls audit conducted by the Office of\nInspector General (OIG) of the U.S. Environmental Protection Agency (EPA). This audit report\ncontains findings that describe problems the OIG has identified and corrective actions the OIG\nrecommends. This audit report represents the opinion of the OIG, and the findings in this audit\nreport do not necessarily represent the final EPA position. EPA managers, in accordance with\nestablished EPA audit resolution procedures, will make final determinations on matters in this\naudit report.\n\nAction Required\n\nThe Action Officials do not have to provide a response to this report. The Agency\xe2\x80\x99s response to\nthe draft report contained an adequate corrective action plan with milestone dates to implement\nthe plan. We have no objection to further release of this report to the public. For your\nconvenience, this report will be available at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact me at\n(202) 566-0893.\n\x0c                                  Table of Contents \n\nAt a Glance\n\n\nChapters\n   1\t   Introduction ...........................................................................................................      1             \n\n\n                Purpose ..........................................................................................................    1                 \n\n                Background ....................................................................................................       
1                 \n\n                Scope and Methodology.................................................................................                2                 \n\n                Results in Brief ...............................................................................................      2                 \n\n\n   2\t   Further Steps Needed to Improve User Account Management ........................                                              3             \n\n\n                Managing Access Privileges ..........................................................................                 3                 \n\n                Monitoring Changes in System Access ..........................................................                        4\n\n                Processing Access Requests .........................................................................                  4                 \n\n                Online Security Policy Enforcement and System Access Definitions Are \n\n                   Ineffective .................................................................................................      5             \n\n                Recommendations .........................................................................................             5                     \n\n                Agency Comments and OIG Evaluation.........................................................                           6\n\n\n  3\t    Improvements Needed in Contractor Background Screening Process ..........                                                     7         \n\n\n                EPA Did Not Follow Contractor Background Screening Procedures .............                                           7\n\n                Recommendations .........................................................................................             
8                 \n\n                Agency Comments and OIG Evaluation.........................................................                           8\n\n\n  4\t    Improvements Needed for Default User IDs and \n\n        Security Administrator Duties .............................................................................                   9         \n\n\n                Default User IDs Not Secured ........................................................................                 9\n\n                Security Administrator Performs Incompatible Duties ....................................                             10 \n\n                Recommendations .........................................................................................            10                 \n\n                Agency Comments and OIG Evaluation.........................................................                          11 \n\n\n\n\nAppendices\n   A    Agency Criteria .....................................................................................................        12     \n\n\n   B    Agency Response to Draft Report.......................................................................                       13     \n\n\n   C    Distribution ............................................................................................................    
22     \n\n\x0c                                 Chapter 1\n                                  Introduction\nPurpose\n          Our objectives were to determine whether: (1) the Environmental Protection\n          Agency (EPA) adequately configured PeoplePlus\xe2\x80\x99 application security and\n          technical infrastructure to protect the confidentiality, integrity, and availability of\n          system data; and (2) implemented controls were working as intended.\n\nBackground\n          PeoplePlus (PPL) is the EPA\xe2\x80\x99s new integrated human resources (HR), benefits,\n          payroll, and time and labor system that is managed jointly by the Office of the\n          Chief Financial Officer (OCFO) and Office of Administration and Resources\n          Management (OARM). The system processes the data to comply with Federal,\n          State, and EPA reporting requirements.\n\n          As both the HR and payroll system, PPL contains confidential personnel\n          information, such as names, addresses, Social Security numbers, and employee\n          IDs. In this regard, EPA classified PPL\xe2\x80\x99s data sensitivity level as high for\n          confidentiality, integrity, and availability because:\n\n              \xe2\x80\xa2\t The Privacy Act requires protection of the personnel information in the\n                 system;\n\n              \xe2\x80\xa2\t Miscalculation of payroll and entitlements could occur due to inaccurate\n                 or erroneously modified data; and\n\n              \xe2\x80\xa2\t Unavailability of data would adversely affect the Agency\xe2\x80\x99s ability to make\n                 financial payments, address benefits issues, or meet internal reporting\n                 requirements.\n\n          EPA established policies to guide its employees and contractors on controlling\n          and securing access to the PPL system, as well as the network and other Agency\n          information resources. 
OCFO developed procedures for online access to the\n          system. OCFO also developed the PPL Security Plan, which details the\n          managerial, operational, and technical controls for securing PPL. Likewise, EPA\n          created a network security policy that establishes controls to ensure a secure\n          network infrastructure. The Agency\xe2\x80\x99s Information Security Manual sets forth\n          requirements for securing information resources in accordance with EPA and\n          Federal policies. Appendix A contains a summary of key Agency policies.\n\n\n\n\n                                             1\n\n\x0cScope and Methodology\n           We conducted this audit from November 2004 to April 2005 at EPA Headquarters\n           in Washington, DC. We interviewed Agency personnel and contractors\n           responsible for processing HR and payroll transactions and securing the\n           application. We reviewed Agency policies, procedures, reports, and forms used\n           to grant users system access and enforce system security. We conducted system\n           walkthroughs of user functionality and selected a judgmental sample of functional\n           users within the Office of Financial Services (OFS) and the Office of Human\n           Resources (OHR) to evaluate their system access. Functional users are EPA\n           employees or contractors that have special access to PeoplePlus in order to\n           process human resources, time keeping, or payroll transactions; or perform system\n           security maintenance. 
This audit was conducted in accordance with Government\n           Auditing Standards, issued by the Comptroller General of the United States.\n\nResults in Brief\n           Program offices had not followed prescribed procedures to limit employees\xe2\x80\x99\n           system access, monitor changes in employees\xe2\x80\x99 system needs, process system\n           access requests, or conduct background screenings on contractors. We identified\n           the following additional weaknesses: (1) program offices did not develop\n           procedures to carry out their assigned system responsibilities, and (2) personnel\n           required additional training to perform their assigned duties. Without restricting\n           user access to the minimal set of privileges necessary, users could circumvent the\n           organizational security policy in order to expose the Agency to attacks or damage\n           the information technology (IT) infrastructure.\n\n           Furthermore, EPA implemented PPL without adequately implementing security\n           controls for two key system maintenance processes. OCFO had not properly\n           secured default user IDs shipped with the system. A user ID is a number or name,\n           which is unique to a particular PeoplePlus user. Furthermore, OCFO had not\n           separated incompatible duties performed by the Security Administrator. During\n           system development, EPA did not conduct an analysis to: (1) determine which\n           default accounts were necessary to operate the system, (2) develop a strategy to\n           mitigate the risks associated with prepackaged default accounts, and (3) design\n           controls to ensure one person could not authorize or approve system changes\n           without detection. 
EPA places itself at greater risk because an employee could\n           use the IDs or incompatible duties to bypass implemented controls without\n           detection and undermine the integrity of the data processed through the system.\n\n           We made 13 recommendations to improve PPL security controls. EPA concurred\n           with all of our recommendations and provided a plan of action to address\n           concerns. We included EPA\xe2\x80\x99s complete response as Appendix B.\n\n\n\n\n                                            2\n\n\x0c                               Chapter 2\n    Further Steps Needed to Improve User Account\n                    Management\n         EPA did not effectively manage PPL user system access. Specifically, OCFO and\n         OARM had not followed prescribed procedures for managing user access\n         privileges, monitoring changes in employee system access needs, or granting\n         users access consistent with requests. This occurred because Agency personnel\n         did not conduct required tasks, such as: (1) verifying employee access requests to\n         assigned responsibilities, (2) reviewing user access needs on a quarterly basis,\n         (3) monitoring the changes in employee duties, and (4) maintaining\n         documentation to support access to the system. This led to excessive \xe2\x80\x93\n         unnecessary or incompatible \xe2\x80\x93 system access, which could allow users to\n         circumvent implemented security controls and increases the likelihood that errors\n         or wrongful acts go undetected.\n\nManaging Access Privileges\n         PPL functional users received more system access than necessary to perform their\n         job responsibilities. Several employees had system access privileges that gave\n         them the capability to perform unnecessary or incompatible functions. 
For\n         example:\n\n             \xe2\x80\xa2\t OCFO employees, whose access should have been limited to entering\n                data, had the ability to approve data as well. Specifically, two OCFO\n                employees within the Payroll Management section could calculate and\n                confirm pay sheets in addition to the ability to review and approve these\n                same payroll transactions. In addition, one of these employees had access\n                that allowed that person to perform incompatible time-keeping and\n                approving functions. With this access, the employee could record hours\n                worked, and verify and approve data on employee time sheets. We also\n                noted that approximately 44 other employees had access to these same\n                incompatible time-keeping and approving functions. However, we did\n                not verify to what extent these other employees were using this access.\n\n             \xe2\x80\xa2\t OARM gave a user system access to critical HR functions, with the\n                ability to input personnel action requests (PARs); although the employee\n                only needed the ability to generate reports.\n\n             \xe2\x80\xa2\t Several system development contractors have functional user roles (a\n                specific set of rights and privileges) within the production environment.\n                These roles provide the contractors with the ability to process general\n\n\n                                          3\n\n\x0c                 payroll transactions, update employee pay records, and review and\n                 approve individual payroll transactions. 
The contractors also have the\n                 ability to record and approve hours worked on employee time sheets,\n                 process PAR transactions, and manage employee records.\n\nMonitoring Changes in System Access\n         EPA did not remove system access after users either transferred to other offices or\n         were assigned different job responsibilities. These employees retained their\n         previous system access privileges, although they did not need the access for their\n         current duties. For instance:\n\n            \xe2\x80\xa2\t OCFO had not requested the removal of full system access for a contractor\n               recently assigned to other duties. Although the contractor needed elevated\n               access during system validation, the office took no action to reduce the\n               contractor\xe2\x80\x99s access once EPA placed PPL into production.\n\n            \xe2\x80\xa2\t The OCFO Payroll Supervisor, with access to key payroll processing\n               functions, transferred to the Office of Research and Development in\n               November 2004. However, neither office took action to ensure the\n               employee\xe2\x80\x99s system access was consistent with their duties; although\n               Agency policy requires this analysis. In addition, OCFO had not updated\n               system access privileges for the current Payroll Supervisor, who\n               transferred from the Systems Planning and Integration Staff group.\n\nProcessing Access Requests\n         EPA had not correctly processed user access request forms for 79 percent (11 of\n         14) of the users in our sample. Although EPA granted functional users system\n         access to key HR and payroll functions, we found Security Administrators did not\n         maintain or process system access documentation in accordance with prescribed\n         procedures. 
We selected a sample of 14 functional users to validate whether EPA\n         processed access requests according to prescribed policies. As indicated in\n         Table 1, EPA granted system access in accordance with prescribed policies\n         21 percent of the time. For the remainder of the users, EPA granted system\n         access either without adequately prepared (unavailable or unsigned)\n         documentation or inconsistent with the requests.\n\n         Table 1 - Analysis of PeoplePlus System Access Forms\n\n          Access Granted:                          Number         Percent\n            With Adequate Documentation              3               21\n             Without Adequate Documentation            7             50\n             Inconsistent with Requests                4             29\n          Total                                       14            100\n\n\n\n\n                                          4\n\n\x0cOnline Security Policy Enforcement and System Access Definitions\nAre Ineffective\n          EPA has not managed user accounts effectively because personnel did not follow\n          existing security policies and system access user roles were not adequately\n          developed.\n\n          Although OCFO provided broad overarching guidance for securing the PPL\n          system, program offices carry out these responsibilities inconsistently. As a\n          result, personnel did not conduct required tasks such as: (1) verifying employee\n          access requests to assigned responsibilities; (2) reviewing user access needs\n          quarterly; (3) monitoring the changes in employee duties; and (4) maintaining\n          documentation to support access to the system.\n\n          EPA\xe2\x80\x99s analysis of user access requirements to develop system access roles was\n          inadequate. 
In many cases, we found EPA developed system access roles based\n          on the employee duties in the separate HR and Payroll systems as opposed to the\n          access needed for the new combined system. In addition, EPA developed generic\n          system access roles to perform a series of related tasks and then gave employees\n          this access regardless of whether they performed those duties.\n\n          Inconsistent compliance with security guidance and inadequate user role\n          development led to excessive user access privileges. Although EPA implemented\n          procedures to monitor payroll processing, an employee with excessive privileges\n          could inappropriately change payments to individuals if the review procedures are\n          not followed or enforced. In addition, excessive access provides employees with\n          unnecessary opportunities to circumvent system security and sets the stage for\n          situations where errors or wrongful acts could go undetected.\n\nRecommendations\n        We recommend the Director of the Office of Financial Services:\n\n          2-1 \t   Conduct and document an analysis of functional user system access\n                  requirements to create appropriate roles that restrict employee access to\n                  necessary functionality.\n\n          2-2 \t   Assign all current system users to the appropriate roles.\n\n          We recommend the Directors of the Office of Human Resources and the Office of\n          Financial Services:\n\n          2-3 \t   Develop and publish a joint policy memorandum to all staff reinforcing\n                  established policies and procedures outlined in the PPL Security Plan and\n                  Online Access Guide.\n\n\n\n                                            5\n\n\x0c         2-4   Develop and implement a strategy to increase managers\xe2\x80\x99 awareness of\n               security responsibilities assigned to their employees.\n\n      
   2-5   Provide in-depth training for the assigned PPL Access Coordinators and\n               Security Administrators. Establish milestone dates when all PPL Access\n               Coordinators and Security Administrators will complete the training.\n\n         2-6   Establish milestone dates when offices will implement the required\n               quarterly reviews of user system access.\n\n         2-7   Conduct and document an evaluation of system access needs for system\n               development contractors with access to the production environment.\n               Establish, document, and implement controls to limit and monitor\n               contractor access.\n\nAgency Comments and OIG Evaluation\n\n               The Directors of both OFS and OHR concurred with our seven\n               recommendations to improve PPL user account management. The Agency\n               has completed some analysis of functional user roles and completion dates\n               for corrective actions to address our remaining recommendations. The\n               corrective actions planned are appropriate and will adequately address the\n               recommendations.\n\n\n\n\n                                        6\n\n\x0c                               Chapter 3\n      Improvements Needed in Contractor Background\n                   Screening Process\n         EPA did not ensure that contractors obtained an appropriate background check\n         before granting them access to PPL. Our review indicated that offices granted\n         contractors access to the system without verifying whether contractor personnel\n         had the required National Agency Check with Inquiries and Credit (NACIC).\n         These weaknesses occurred because the Agency did not follow the procedures\n         outlined in the online access policy. 
These weaknesses in basic controls have the\n         potential to undermine an essential part of the system\xe2\x80\x99s security.\n\nEPA Did Not Follow Contractor Background Screening Procedures\n         EPA did not ensure contractors obtained the required background check before\n         granting them access to PPL. We reviewed the background check status for all\n         OCFO and OARM contractors with system access. We found that for 10 of 22\n         contractors (45 percent), the program offices authorized access to the system\n         without verifying the contractor had completed the Agency-required NACIC\n         background check.\n\n         These weaknesses occurred because neither program office followed the\n         procedures outlined in the online access policy. Specifically, we found that the\n         Task Order Project Officers (TOPOs), responsible for authorizing and requesting\n         system access, needed additional training on EPA-prescribed contractor\n         background screening procedures. In addition, OARM did not establish\n         procedures to follow up on requested background screening checks for contractors\n         given temporary system access.\n\n         Because intentional and unintentional employee actions are the primary cause of\n         disruptions of information system integrity and operation, security controls should\n         provide reasonable assurance that systems are safeguarded. Although not\n         infallible, background checks serve as a basic control to determine whether\n         contractors are suitable to have access to sensitive Agency information. These\n         checks are an integral part of an overall system of controls to protect the\n         confidentiality, integrity, and availability of information systems.\n\n         Furthermore, while authorizing temporary system access is sometimes necessary,\n         offices should use it sparingly and monitor it to maintain internal controls. 
By not\n         implementing processes to follow up and promptly remove the access when no\n         longer required, management places EPA in greater risk that unscrupulous\n         individuals could undermine the integrity of the system.\n\n\n\n\n                                          7\n\n\x0cRecommendations\n         We recommend that the Directors of the Office of the Human Resources and the\n         Office of Financial Services:\n\n         3-1 \t   Develop, implement, and document a formal training program for the\n                 personnel responsible for requesting and approving contractor personnel\n                 access to PPL. Ensure that all TOPOs receive the training.\n\n         3-2 \t   Develop, implement, and document specific procedures for processing\n                 contractor personnel background screening requests.\n\n         3-3 \t   Develop and implement a monitoring process for contractors granted\n                 temporary access to PPL.\n\n         3-4\t    Establish a milestone date to complete NACIC security\n                 screenings for all contractor personnel with system access.\n\nAgency Comments and OIG Evaluation\n                 The Directors of both OFS and OHR concurred with our four\n                 recommendations to improve the contractor background screening\n                 process. The Agency has completed all NACIC security screenings for\n                 the contractor personnel we identified in the report as not having a verified\n                 background check. The Agency established target dates for addressing\n                 our remaining recommendations. 
The corrective actions planned are\n                 appropriate and will adequately address the recommendations.\n\n\n\n\n                                           8\n\n\x0c                               Chapter 4\n    Improvements Needed for Default User IDs and\n           Security Administrator Duties\n          EPA implemented PPL without adequately developing security controls for\n          default user IDs and adequately separating incompatible duties performed by the\n          Security Administrator. By not controlling special access accounts and\n          adequately separating duties, a person could bypass implemented controls without\n          detection and undermine the integrity of the data.\n\nDefault User IDs Not Secured\n\n          EPA has not secured default user IDs, which allow users to by-pass security\n          controls. Default user IDs are of two types: \xe2\x80\x9cSuper User IDs\xe2\x80\x9d and \xe2\x80\x9cUser IDs.\xe2\x80\x9d\n          Super User IDs have unrestricted access to the system. User IDs provide\n          unlimited access for specific application modules, such as HR or Payroll. Our\n          review disclosed that 7 of 9 (78 percent) IDs listed in a Security Administrator\n          account were default user IDs. Although the Security Administrator changed the\n          account passwords and locked some accounts, we found three of the default user\n          IDs were still active.\n\n          Like many enterprise resource planning applications, PPL comes with multiple\n          default user IDs with passwords set to commonly known factory settings. The\n          manufacturer delivered the PPL software to EPA with default user IDs and\n          passwords. 
According to industry security best practices, the Agency should have appropriately secured the default user IDs and passwords by (1) locking, (2) removing, or (3) changing them as part of the system implementation process. Immediate and proper identification and maintenance of these IDs, especially Super User IDs, are vital to the security of the application. With knowledge of the system’s configuration and access to EPA’s network, a person could use a default user ID to exploit PPL.

Although EPA developed a system security plan and provided broad overarching security guidance, we found that key security documents were either not prepared or unavailable for review. Specifically, EPA had not prepared an analysis of the design and assignment of permissions and roles within the system. In this regard, EPA had not documented which default IDs were necessary for the system to process HR and payroll transactions or the remediation actions necessary to secure those accounts not needed.

Security Administrator Performs Incompatible Duties

Our analysis determined that one Security Administrator had system access and responsibilities for three incompatible, critical security functions. These functions should be separate to ensure that no one person has complete control over the implementation of program changes without detection.
A Security Administrator responsible for implementing user roles could inadvertently or deliberately obtain access to PPL functions that are not in accordance with management policies. Specifically, this particular Security Administrator was responsible for:

   •  Creation and maintenance of roles and permission lists;

   •  Migration of roles and permission lists into the production stage; and

   •  Creation and maintenance of user profiles.

The performance of incompatible duties is a common security concern, but the concern is heightened when an employee with control over the system performs the duties. The Security Administrators are one of the pillars of an effectively implemented system of controls. Because of this, EPA places itself at greater risk when a Security Administrator performs incompatible duties that are vital to the underlying security of the application. In addition, the potential exists that system changes could occur and go undetected, which could undermine the controls management must rely upon for the integrity of the information processed by the system.

As previously stated, EPA had not adequately described the design and assignment of permission lists and roles within the system.
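The findings above (vendor default IDs left active, one Security Administrator holding all three incompatible functions, and, from Chapter 3, contractor access granted without a verified NACIC screening) are the kind of conditions a periodic access review can detect mechanically. The Python below is an added example written for this page; it is not code from the OIG report, from EPA, or from the PeopleSoft product. The account names, duty labels, flags and dates are constructed, and the rule that flags any account holding two or more of the three duties is one reading of the report's statement that the functions should be separate.

```python
"""Periodic access-review checks for an ERP application such as PPL.

Added example for this page; it is not code from the OIG report, EPA or
PeopleSoft. Account names, duty labels, dates and flags are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# The three Security Administrator functions the report says must be held
# by different people (duty labels are constructed).
CREATE_ROLES = "create_roles"        # creation and maintenance of roles and permission lists
MIGRATE_TO_PROD = "migrate_to_prod"  # migration of roles and permission lists into production
CREATE_PROFILES = "create_profiles"  # creation and maintenance of user profiles
INCOMPATIBLE_DUTIES: FrozenSet[str] = frozenset(
    {CREATE_ROLES, MIGRATE_TO_PROD, CREATE_PROFILES}
)


@dataclass(frozen=True)
class Account:
    """One row of a (constructed) user-profile export."""
    user_id: str
    is_default: bool = False                # shipped by the vendor with a factory password
    locked: bool = False
    password_rotated: bool = False          # factory password has been changed
    duties: FrozenSet[str] = frozenset()
    is_contractor: bool = False
    nacic_verified: bool = False            # background screening verified on file
    access_expires: Optional[date] = None   # end date of temporary access, if any


def unsecured_default_ids(accounts: List[Account]) -> Dict[str, List[str]]:
    """Default IDs still active, and default IDs still on a factory password.

    Locking or removing the account is the remediation; a rotated password
    alone still leaves an active vendor account that must be justified.
    """
    findings: Dict[str, List[str]] = {"active": [], "factory_password": []}
    for acct in accounts:
        if not acct.is_default:
            continue
        if not acct.locked:
            findings["active"].append(acct.user_id)
        if not acct.password_rotated:
            findings["factory_password"].append(acct.user_id)
    return findings


def sod_conflicts(accounts: List[Account],
                  incompatible: FrozenSet[str] = INCOMPATIBLE_DUTIES
                  ) -> Dict[str, FrozenSet[str]]:
    """Accounts holding two or more duties from the incompatible set.

    Any two together let one person both define a change and put it into
    effect, which is what separating the functions is meant to prevent.
    """
    conflicts: Dict[str, FrozenSet[str]] = {}
    for acct in accounts:
        held = acct.duties & incompatible
        if len(held) >= 2:
            conflicts[acct.user_id] = frozenset(held)
    return conflicts


def contractor_gaps(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Contractor accounts with no verified NACIC or with expired temporary access."""
    gaps: Dict[str, List[str]] = {}
    for acct in accounts:
        if not acct.is_contractor:
            continue
        reasons = []
        if not acct.nacic_verified:
            reasons.append("no verified NACIC screening")
        if acct.access_expires is not None and acct.access_expires < today:
            reasons.append("temporary access expired " + acct.access_expires.isoformat())
        if reasons:
            gaps[acct.user_id] = reasons
    return gaps


def access_review(accounts: List[Account], today: date) -> Dict[str, object]:
    """Run all three checks; an empty value under a key means no finding."""
    return {
        "default_ids": unsecured_default_ids(accounts),
        "sod_conflicts": sod_conflicts(accounts),
        "contractor_gaps": contractor_gaps(accounts, today),
    }


# Constructed export: eight accounts mirroring the kinds of findings in the report.
SAMPLE_ACCOUNTS = [
    Account("SUPER_DEFAULT_1", is_default=True, locked=True, password_rotated=True),
    Account("HR_DEFAULT_1", is_default=True, locked=False, password_rotated=True),
    Account("PAY_DEFAULT_1", is_default=True, locked=False, password_rotated=False),
    Account("secadmin1", duties=INCOMPATIBLE_DUTIES),           # holds all three duties
    Account("secadmin2", duties=frozenset({CREATE_PROFILES})),  # one duty only
    Account("ctr_dev01", is_contractor=True, nacic_verified=False,
            access_expires=date(2005, 7, 1)),
    Account("ctr_dev02", is_contractor=True, nacic_verified=True,
            access_expires=date(2005, 9, 30)),
    Account("jdoe", duties=frozenset({"approve_timecards"})),
]
REVIEW_DATE = date(2005, 7, 28)  # constructed review date

if __name__ == "__main__":
    for check, result in access_review(SAMPLE_ACCOUNTS, REVIEW_DATE).items():
        print(check, result)
```

On the constructed data the review reports two default IDs still active (one of them still on its factory password), one Security Administrator with all three incompatible duties, and one contractor whose screening is unverified and whose temporary access has lapsed. Running the same checks quarterly against a real user-profile export is what the Agency's quarterly access review requirement amounts to in practice.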
Furthermore, EPA had not: (1) analyzed Security Administrator responsibilities to ensure one employee was not performing incompatible duties, (2) assigned duties between the two Security Administrators, and (3) provided sufficient training to security personnel to perform these duties.

Recommendations

We recommend that the Director of the Office of Financial Services:

4-1   Conduct and document an analysis of default user IDs to determine the necessity for each default account and deactivate default user IDs as appropriate.

4-2   Conduct and document an analysis of Security Administrator responsibilities and assign duties in a manner that provides adequate separation of duties.

Agency Comments and OIG Evaluation

The Director of OFS concurred with our two recommendations to review the status of default user IDs and to analyze Security Administrator responsibilities for adequate separation of duties. The Agency has completed an analysis of default user IDs and has planned a completion date for conducting and documenting a thorough analysis of Security Administrator responsibilities. The corrective action planned is appropriate and will adequately address the remaining recommendation.

Appendix A

Agency Criteria

Office of Financial Management, Policy Announcement No.
04-01, Policies and Procedures for Online Access to EPA’s Integrated Human Resources, Benefits, Payroll, Time and Labor Management System-PeoplePlus, provides procedures for online access to the system. In addition, the Policy provides procedures for requesting and changing user IDs, passwords, and access; security training for PPL access coordinators and users; and responsibilities of individuals with system access. Specifically, Security Administrators are responsible for verifying that requested access is limited to the performance of a user’s assigned responsibilities, monitoring adherence to the policies and procedures contained in this Policy, and conducting an annual review of system online security functions. The Agency should monitor any changes to authorized users’ employment status or changes in the duties affecting their access, conduct quarterly reviews of user access needs to ensure only those authorized functions that are required to perform their current duties are retained in their security profiles, and retain copies of the user access request forms. The Policy also identifies maintaining and ensuring adequate segregation of duties as a vital procedure for controlling access to the system. Additionally, program offices are required to ensure contractor personnel have, at a minimum, a NACIC background screening before granting access to PPL.

Office of Chief Financial Officer/Office of Administration and Resources Management, PeoplePlus (PPL) Security Plan, details the managerial, operational, and technical controls for securing the PPL system. This document describes personnel security requirements as well as the requirements for segregation of duties and minimal privileges. The Security Administrators are responsible for reviewing the requests to provide reasonable assurance that unnecessary privileges are not granted.
In addition, the Security Administrators are responsible for reviewing access lists quarterly to verify that users continue to need access. User access must be restricted to the minimum necessary to perform the job. At a minimum, any contractor support must pass the NACIC background check before gaining access to PPL.

EPA Order No. 2195.1 A4, Network Security Policy, establishes basic controls to ensure a secure network infrastructure. It specifies that: (1) access authorizations and controls must follow the principles of “need-to-know,” “need-to-perform,” and “least privilege” in relation to functional requirements; (2) access authorizations must be documented; and (3) authorizations and associated authentication methods must be periodically reviewed, tested, and verified. In addition, the Policy specifies that network procedures, standards, and operating practices for implementation of this policy are consistent with National Institute of Standards and Technology requirements, and documented industry standards and best practices.

EPA’s Information Security Manual sets forth requirements and guidance for securing Agency information resources in accordance with EPA and Federal security policies and mandates. Specifically, the policy lists requirements for personnel screening, logical access controls, and establishing proper segregation of duties.

Appendix B

Agency Response to Draft Report

July 20, 2005

MEMORANDUM

SUBJECT:       PeoplePlus Security Controls Audit Report

FROM:          Milton Brown, Director /s/
               Office of Financial Services (2734R)

               Rafael DeLeon, Director /s/
               Office of Human Resources (3610A)

TO:            Rudolph M. Brevard, Acting Director
               Business Systems Audits
               Office of Inspector General (2421T)

We thank you for the opportunity to review and provide comments on the PeoplePlus (PPL) Security Controls Draft Audit Report (Assignment No. 2005-00342). The Office of Financial Services (OFS) and the Office of Human Resources (OHR) support the specific audit objectives: “to determine whether: (1) the Environmental Protection Agency (EPA) adequately configured PeoplePlus application security and technical infrastructure to protect the confidentiality, integrity, and availability of system data; and (2) implemented controls were working as intended.” Based on already planned actions and the audit findings, we will continue to improve security policies, training, and general oversight of PPL security. In addition, OFS will work with users and payroll staff to address concerns and implement improved compliance of the system.

The report identifies issues with controls that it claims are commonly bypassed and lacking in management oversight. The report implies that problems are commonplace and places the Agency at substantial risk. We believe this is subject to interpretation and is overstated. Management in the Office of the Chief Financial Officer (OCFO) and the Office of Administration and Resources Management (OARM) take the integrity and privacy of employees’ personnel and payroll data very seriously, and our staffs understand the importance of maintaining data integrity.

The report also states that actions that might be allowed by users with excessive privileges could create system compromises “without detection”.
As was provided in earlier draft responses, all payroll actions are audited, and if a supervisor or security administrator caused inappropriate or adverse actions to occur, full audit records are available to the Agency payroll audit team. In no case does any action go undetected.

In addition, the report implies that security role development and role/default account management were haphazard and lacking in attention to detail. The report does not reflect the amount of attention placed on security controls. While these areas need to be reviewed and updated now that the system is in full production, OFS spent considerable time and attention establishing and working on these areas prior to implementation.

Attached is our response to your recommendations presented to us in the draft audit report. We again appreciate the opportunity to work through the issues and we appreciate your consideration of our comments on the audit.

If you have any questions or require additional information or clarification concerning our response, please contact Sheila Bullock, Office of Financial Services on (202) 564-5202 and Brenda Daly, Office of Human Resources on (202) 564-6290.

Attachment

cc:  Raffael Stein       2734R
     Janice Kern         2734R
     Jayna Alexander     2734R
     Carline Ransom      2734R
     Sheila Bullock      2734R
     Corey Costango      2421T
     Warren Brooks       2421T
     William Coker       2421T
     Mike Hamlin         3631M
     Jeuli Bartenstein   3631M
     Brenda Daly         3631M
     Dennis Nolan        2733R
     Richard Bennett     2733R
     Joseph L. Dillon    2731A
     Krista Mainess      2710A
     Larry Burnham       2710A

Attachment

Responses to Recommendations

Each entry gives: No., Recommendation, Concur/Non-Concur, Responsible Office, Planned Completion Date, Comments.

We recommend the Director of the Office of Financial Services:

2-1  Recommendation: Conduct and document an analysis of functional user system access requirements to create appropriate roles that restrict employee access to necessary functionality.
     Concur/Non-Concur: Concur
     Responsible Office: OFS
     Planned Completion Date: 06/30/2005, 07/31/2005, 08/31/2005, 08/31/2005
     Comments: We have performed an analysis of functional user system access requirements to create appropriate roles associated with job functionality. Payroll roles were completed as of 6/30/05. The Help Desk roles will be completed by 7/31/05 and Time & Labor roles will be completed by 8/31/05. All roles will be documented by 08/31/05.

2-2  Recommendation: Assign all current system users to the appropriate roles.
     Concur/Non-Concur: Concur
     Responsible Office: OFS
     Planned Completion Date: 08/31/2005
     Comments: All current system users will be assigned to appropriate roles. In addition, those anomalies identified in the IG Report have been corrected. We will continue to monitor security access to ensure that these inconsistencies do not occur again.

We recommend the Directors of the Office of Human Resources and the Office of Financial Services:

2-3  Recommendation: Develop and publish a joint policy memorandum to all staff reinforcing the established policies and procedures outlined in the PPL Security Plan and Online Access Guide.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 08/31/2005
     Comments: OFS and OHR will work together to develop and publish a joint policy memorandum to re-emphasize to staff the importance of the guidance provided in the PPL Security Plan and Policy Announcement 04-01 (Policies and Procedures for On-Line Access to EPA’s Integrated Human Resources, Benefits, Payroll, Time and Labor Management System-PeoplePlus).

2-4  Recommendation: Develop and implement a strategy to increase managers’ awareness of security responsibilities assigned to their employees.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 08/31/2005
     Comments: OFS and OHR are working together to develop and implement a strategy to increase managers’ awareness of the PPL security responsibilities assigned to their employees. Implementation of this strategy is scheduled to begin on 07/29/05. We will include this in the PPL manager training planned for August.

2-5  Recommendation: Provide in-depth training for the assigned PPL Access Coordinators and Security Administrators. Establish milestone dates when all PPL Access Coordinators and Security Administrators will complete the training.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 08/31/2005; Completed (for the Security Administrator training listed below)
     Comments: We are in the process of providing in-depth training for the PPL Access Coordinators. The Security Administrators will also be provided training as appropriate. Please note the completed training for the OFS and OHR Security Administrators.
       OFS Security Administrator
         - PeopleSoft Security Training version 8.12, September 10-12, 2002
         - PeopleSoft Security Training, July 12-14, 2005
       OHR Security Administrator
         - PeopleSoft Security Training version 8.12, April 27, 2002
         - PeopleSoft Security Training version 8.4, March 2, 2004
         - Attended IT Security and Operations conference, May 17-21, 2004
         - Attended IT Security and Operations conference (ISO), April 11-14, 2005

2-6  Recommendation: Establish milestone dates when offices will implement the required quarterly reviews of user system access.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 08/31/2005
     Comments: The required quarterly reviews will be conducted for contractors and functional users. In addition, quarterly reminders of the policy and procedures for maintaining PPL access will be provided to the PPL Access Coordinators. The milestone dates for quarterly reviews and reminders are: September 20, 2005; December 31, 2005; March 31, 2006; June 30, 2006; September 20, 2006; December 31, 2006.

2-7  Recommendation: Conduct and document an evaluation of system access needs for system development contractors with access to the production environment. Establish, document, and implement controls to ensure contractor access is limited and monitored.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 07/31/2005
     Comments: OFS and OHR will conduct and document an evaluation of system access needs for system contractors. We will also establish, document, and implement controls to ensure contractor access is limited and based on current responsibilities. Please note that controls exist today to monitor and track contractor access through the audit log. (Currently this function is performed biweekly.) This will formalize our procedures.

3-1  Recommendation: Develop, implement, and document a formal training program for the personnel responsible for requesting and approving contractor personnel access to PPL. Ensure that all Task Order Project Officers (TOPO) receive the training.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 08/31/2005
     Comments: OFS and OHR will develop, implement, and document a formal training plan for the personnel responsible for requesting and approving contractor personnel access to PPL. In addition, we will ensure that the TOPOs receive training.

3-2  Recommendation: Develop, implement, and document specific procedures for processing contractor personnel background screening requests.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: On-Going
     Comments: OFS and OHR will document and continue to implement specific Agency procedures such as the SF 85 process, and the OF-306 process, as well as the funding procedures necessary to complete these tasks.

3-3  Recommendation: Develop and implement a monitoring process for contractors granted temporary access to PPL.
     Concur/Non-Concur: Concur
     Responsible Office: OHR
     Planned Completion Date: 10/2005
     Comments: It is OHR’s responsibility to implement the Homeland Security Presidential Directive (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors. The Policy requires that EPA’s non-Federal workers undergo Federally-sponsored background checks before being issued smart cards that will permit access to our facilities and information systems. EPA’s implementation plan has been submitted to the Office of Management and Budget (OMB), with implementation expected in October. We believe that our efforts will result in a comprehensive Agency program for non-Federal worker background checks consistent with HSPD-12. Also, we will implement a monitoring process which will perform periodic checks on the status of the NACICs for all contractors that have been granted temporary access to PeoplePlus.

3-4  Recommendation: Establish a milestone date to complete documented NACIC security screenings for all contractor personnel with system access.
     Concur/Non-Concur: Concur
     Responsible Office: OHR
     Planned Completion Date: Completed
     Comments: As of 06/30/2005, OFS and OHR completed all NACIC security screenings for all contractor personnel with system access (See Chapter 3 of Audit Report). We feel that the need for key milestones is no longer relevant due to the fact that we are following the EPA Information Security Manual 2195A1, 1999 Edition, page 68, which states:
       “The NACIC screening must occur prior to providing contractor personnel with access to EPA systems. Contractor personnel must submit required background investigation documentation within ten (10) days after initiation of contract. To avoid unnecessary delays, new contractor personnel may begin work while the OPM screening is in progress, provided contractor personnel have already completed pre-screening requirements by their employer.”
     We will develop a process to monitor the status of the NACIC.

We recommend that the Director of the Office of Financial Services:

4-1  Recommendation: Conduct and document an analysis of default user IDs to determine the necessity for each default account and deactivate default user IDs as appropriate.
     Concur/Non-Concur: Concur
     Responsible Office: OFS
     Planned Completion Date: Completed
     Comments: On 06/23/05, we conducted and documented an analysis of default user IDs to determine the necessity for each default account (See Chapter 4 of Audit Report). Based on the analysis it was determined that three IDs were not locked and of the three, we locked two and the passwords were changed. The third user ID could not be locked because it is used to create User Accounts. However, the access was restricted to the Security Administrator in a different name. In addition, the Default User IDs passwords will be changed quarterly – every 90 days.

4-2  Recommendation: Conduct and document an analysis of Security Administrator responsibilities and assign duties in a manner that provides adequate separation of duties.
     Concur/Non-Concur: Concur
     Responsible Office: OFS/OHR
     Planned Completion Date: 07/31/2005
     Comments: OFS will conduct and document a thorough analysis of Security Administrator responsibilities and assign duties in a manner that provides adequate separation of duties. Please note that the Security Administrator is a special and complex case. Any user with super user privilege presents separation of duties and trust issues in any production system environment with sensitive or financial data.

Appendix C

Distribution

Office of the Administrator
Director, Office of Financial Services
Director, Office of Human Resources
Audit Coordinator, Office of the Chief Financial Officer
Audit Coordinator, Office of Administration and Resources Management
Director, Technical Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Inspector General
